

My only gripe...


Posted Apr 13, 2018 20:09 UTC (Fri) by rdfm (subscriber, #50178)
Parent article: A new package index for Python

Is that there isn’t a big honkin’ warning on python.org’s homepage stating why old python distributions with non up to date OpenSSL libraries are broken.

At work we noticed the TLS brownouts, but since there was nothing prominent, we thought there was some temporary problem. We didn’t find the post on the PSF blog and we didn’t look at the PyPI status page. When the TLS blackout started it took us a week to update all our old Python installs for legacy systems, and we still need to figure out client advice.

I would suggest that such future infrastructure changes be prominently advertised on the python.org homepage (in advance).



My only gripe...

Posted Apr 13, 2018 22:29 UTC (Fri) by sumanah (guest, #59891) [Link] (2 responses)

Hi, rdfm. Thanks for sharing your problem. I'm linking to it in an issue where we're talking about making the error more obvious/transparent: https://github.com/pypa/packaging-problems/issues/130 I've suggested that we put an announcement on http://blog.python.org/ , which syndicates to www.python.org .

For reference (for other folks): PyPI has just turned off support for TLS versions 1.0 and 1.1 (announcement on the general Python announcement email list: https://mail.python.org/pipermail/python-announce-list/20... ). Also, on June 30, 2018, all Python.org sites are going to entirely stop supporting TLS versions 1.0 and 1.1, because PyPI's CDN provider, Fastly, is deprecating support for those versions (blog post: https://pyfound.blogspot.com/2017/01/time-to-upgrade-your... ).

We're seeing that some users of older versions of OpenSSL are affected. Users of OS X versions 10.12 and below who use Python are particularly affected by this deprecation, as the Apple-supplied system Python (version 2.7) links to an older version of OpenSSL, so "pip install" now fails for them. A detailed explanation of that is in https://github.com/pypa/warehouse/issues/3293#issuecommen... . Upgrading pip to 9.0.3 will generally fix the issue. To upgrade affected clients, run:

curl https://bootstrap.pypa.io/get-pip.py | python

Whenever anyone has trouble `pip install`ing anything, I hope they turn up the verbosity with `-vv` to check the error message and check the PyPI/python.org status page http://status.python.org/ . And we've just started up a pretty low-traffic PyPI announcement email list https://mail.python.org/mm3/mailman3/lists/pypi-announce.... that would probably be good for folks to subscribe to if they are at companies that depend on PyPI.
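The check below is an added example, not part of the comment above or of any PyPA tooling: it reports whether a Python interpreter's SSL library can negotiate TLS 1.2, which is what decides whether `pip install` survives the TLS 1.0/1.1 shutdown. The function names and the sample version strings are constructed for illustration.

```python
from __future__ import print_function  # keeps the script usable on legacy Python 2.7
import re
import ssl

# TLS 1.1 and TLS 1.2 support first appeared in OpenSSL 1.0.1.
MIN_OPENSSL = (1, 0, 1)


def parse_ssl_version(text):
    """Split 'OpenSSL 0.9.8zh 14 Jan 2016' into ('OpenSSL', (0, 9, 8))."""
    m = re.match(r"(\w+)\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised SSL library string: %r" % (text,))
    return m.group(1), tuple(int(part) for part in m.group(2, 3, 4))


def can_speak_tls12(version_text, has_tls12_constant=True):
    """True if an interpreter linked against this library can negotiate TLS 1.2."""
    library, version = parse_ssl_version(version_text)
    if not has_tls12_constant:
        # Older ssl modules do not define PROTOCOL_TLSv1_2 at all.
        return False
    if library == "LibreSSL":
        # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
        return True
    return version >= MIN_OPENSSL


def check_this_interpreter():
    """Apply the same test to the interpreter running this script."""
    return can_speak_tls12(ssl.OPENSSL_VERSION, hasattr(ssl, "PROTOCOL_TLSv1_2"))


if __name__ == "__main__":
    # Constructed sample strings, in the format ssl.OPENSSL_VERSION uses.
    samples = [
        "OpenSSL 0.9.8zh 14 Jan 2016",
        "OpenSSL 1.0.2k 26 Jan 2017",
        "LibreSSL 2.2.7",
    ]
    for text in samples:
        print("%-30s TLS 1.2: %s" % (text, can_speak_tls12(text)))
    print("this interpreter (%s): %s" % (ssl.OPENSSL_VERSION, check_this_interpreter()))
```

Run it with each Python on a legacy host (for example `/usr/bin/python check_tls.py`); any interpreter that reports `False` needs a newer OpenSSL or a separately installed Python before it can reach PyPI.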

My only gripe...

Posted Apr 14, 2018 6:25 UTC (Sat) by zdzichu (subscriber, #17118) [Link] (1 responses)

> curl … | python

Would you please not spread such horrible antipatterns?

advising users on how to upgrade pip

Posted Apr 14, 2018 15:14 UTC (Sat) by sumanah (guest, #59891) [Link]

I genuinely welcome a better suggestion for a one-liner command-line invocation (for use in things like tweets and announcement emails) that gets the user the latest pip (see the opening comment here on why and how the whole of pip is contained in that file), verifies the SSL certificate, and works on all supported versions of Mac OS X and approximately all Linux distros (including headless systems).

For audiences and contexts like this one, perhaps this suggestion is better:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

# Inspect get-pip.py for any malevolence. Then run the following:

python get-pip.py


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds